
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

>>>>> "Greg" == Greg Minshall <minshall@fiberlane.com> writes:
    Greg> operating and managing the internet (and smaller intranets).  For
    Greg> example, these days we are able to measure traffic growth by
    Greg> application type ("how much of the traffic is HTTP traffic and how
    Greg> is that changing over time?" is typical of the questions we ask
  
  This provides classification data on application type. That is one
use... and I tend to agree with you.

    Greg> there).  When debugging problems, correlating packets observed with
    Greg> known application behaviours ("oh, yes, that must be from a buggy
    Greg> version of TN3270") is often useful.  We occasionally would like to

  How does having the port numbers help here? I'm not being critical, I'm
just trying to understand if this is really a different use of the port
numbers. 

    Greg> While it is quite possible that the removal of port numbers from
    Greg> the cleartext payload will *not* adversely affect the operating of
    Greg> the internet, i worry that it may impact things negatively.

  I'm afraid that a lot of us want to keep our traffic patterns private.
AH does provide for counting of traffic, and may see significant use 
for securing TCP sessions against flooding.

    Greg> If i were to summarize what i would like to see done, it would be
    Greg> to provide room in the cleartext portion of the IPSEC header for
    Greg> "32 bits of source and destination port numbers (or their

  Oops, no changing bits on the wire at this point, PLEASE.

    Greg> equivalent) in protocols that have the concept of port numbers",
    Greg> along with "advice to implementors" that the ultimate receiver
    Greg> should use these bits, if not zero, to replace the port numbers
    Greg> carried within the encrypted payload.  (Applications worried about
    Greg> port-based traffic analysis would be able to use zeroes in the
    Greg> cleartext header.)

  Why should the authenticated port numbers be replaced with unauthenticated
ones? That seems very wrong to me.

  I think perhaps you really want an IP option (not sure if it should be 
hop-by-hop or destination... probably destination) that provides a "service
number" --- HTTP would always use 80, even if the actual HTTP server was
on a different port.

    Greg> I am hoping that from the point of view of the entire IETF, we may
    Greg> be able to decide that managing the network is important enough to
    Greg> move the port numbers into the clear.

  I understand that you want metering. For the initial adopters of IPsec,
the VPN people, this is entirely unacceptable. Further, for the purposes
of metering, the packets are not "HTTP" or "SMTP" packets, but "VPN"
packets, and the ESP header type pretty much tells you that.
  
  For later adopters of IPsec, AH may predominate, either because the
application layer has its own encryption system, and one is simply
protecting the transport (e.g. CORBA or SSL over TCP), or it may be
public data anyway.

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |Network and security consulting and contract programming
 Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
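The metering point argued above (an ESP packet is only classifiable as "VPN", while AH leaves the transport ports readable) shown as an added example that is not part of the thread; it constructs three minimal IPv4 packets (plain TCP, AH-wrapped TCP per the RFC 2402 layout, ESP per RFC 2406) and reports what a meter can learn from the cleartext headers alone.

```python
"""Classify constructed IPv4 packets the way a traffic meter would see them.
Added example, not from the thread. All packets below are constructed;
checksums are left zero and the ESP payload is opaque filler."""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def classify(packet: bytes) -> dict:
    """Return what is knowable from the unencrypted headers of one packet."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", payload[:4])
        # Transport header is inside the encrypted payload: only the SPI
        # and the fact that this is "VPN" traffic are visible to a meter.
        return {"class": "VPN", "spi": spi, "ports": None}
    if proto == IPPROTO_AH:
        next_hdr, payload_len = payload[0], payload[1]
        ah_len = (payload_len + 2) * 4     # RFC 2402: 32-bit words minus 2
        proto, payload = next_hdr, payload[ah_len:]   # AH authenticates, does not hide
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"class": "TCP", "ports": (sport, dport)}
    return {"class": f"proto-{proto}", "ports": None}


def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed headers: TCP SYN 40000 -> 80; AH (next=TCP, SPI 0x100, seq 1,
# 96-bit ICV placeholder); ESP (SPI 0x200, seq 1, 32 bytes of filler).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
AH_HDR = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x100, 1) + b"\x00" * 12
ESP_HDR = struct.pack("!II", 0x200, 1) + b"\xaa" * 32


def sample_packets() -> dict:
    """The three cases discussed: plain TCP, AH-protected TCP, ESP."""
    return {"plain": ipv4(IPPROTO_TCP, TCP_HDR),
            "ah": ipv4(IPPROTO_AH, AH_HDR + TCP_HDR),
            "esp": ipv4(IPPROTO_ESP, ESP_HDR)}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt))
```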